Privacy Policy

This privacy notice tells you what to expect us to do with your personal information.

  1. Contact details

  2. What information we collect, use, and why

  3. Lawful bases and data protection rights

  4. Our lawful bases for the collection and use of your data

  5. Where we get personal information from

  6. How long we keep information

  7. Who we share information with

  8. How and Why We or Our Processors May Share Your Data

  9. How to complain

1. Contact details

Email: contact@empathic-psychologist.com

2. What information we collect, use, and why

We collect various categories of personal information to provide you with our Services and fulfil our duties of care and contractual obligations such as: psychological and psychotherapeutic care, supervision, educational services and other products; safeguarding or public protection reasons and to comply with legal requirements; client portal functionality; communications and marketing; dealing with queries, complaints or claims; and for anonymised service evaluation, statistical analysis and publication purposes.

 The information we may collect or use for one or more of these purposes is outlined below:

  • Name, address and contact details (including parental contacts for children/young people clients)

  • Gender and sexual orientation information including pronoun preferences

  • Date of birth

  • Emergency contact details

  • Health information (e.g. medical/mental health conditions/history, allergies, medical requirements)

  • Information about care needs (e.g. disabilities, other care provisions)

  • Psychometric test results (e.g. psychological outcome evaluations)

  • Payment details (including card information)

  • Clinical records of sessions and decisions

  • Personal doctor (all clients) and school (applicable to children/young people clients) contact details

  • Account information, including registration details

  • Information used for security purposes

  • Purchase or service history

  • Correspondence

  • Safeguarding information

  • Brief description of presenting issue

  • Any other personal information required to comply with legal obligations

3. Lawful bases and data protection rights

Under GDPR-EU we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in GDPR EU. You can find out more about lawful bases on the EU-GDPR legislation website chapters.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the EU-GDPR legislation website:

  • Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.

  • Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.

  • Your right to erasure - You have the right to ask us to delete your personal information.

  • Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information.

  • Your right to object to processing - You have the right to object to the processing of your personal data.

  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.

  • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

4. Our lawful bases for the collection and use of your data

We process data you provide us lawfully, fairly, and transparently. Under the GDPR-EU, our legal bases include Contract obligations, compliance with Legal Obligations, Vital interests as well as your Consent and/or our Legitimate Interests, provided these are not overridden by your rights.

Our lawful bases for collecting or using personal information to provide psychological and psychotherapeutic care, supervision, educational services, and other products are:

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

  • Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability. Your right to consent might not apply when data processing is necessary to protect the vital interests of the client or others such as: Serious Risk of Harm, Legal Obligation/Public Interest or Inability to Give Consent.

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

  • Legitimate interests - we’re collecting or using your information because it benefits you and our service ensuring accountable, safe, effective and ethical practice, without causing an undue risk of harm to anyone.

Our lawful bases for collecting or using personal information for safeguarding or public protection reasons are:

  • Legal Requirements (Legal Obligation): To document decisions as necessary for compliance with legal obligations related to psychological practice and to comply with applicable laws, court orders, or regulatory requirements

 

Our lawful bases for collecting or using personal information for client portal functionality are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

Our lawful bases for collecting or using personal information to comply with legal requirements are:

  • Legal obligation – we have to collect or use your information so we can comply with applicable law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

  • Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

 

Our lawful bases for collecting or using personal information for communications and marketing are:

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All other data protection rights may apply, except the right to erasure, the right to object, and the right to data portability. Our legitimate interests are:

    To communicate with existing/new clients and subscribers about new features and service updates, security notices, invoices, and responding to inquiries. To inform about newly developed services or material, special offers/promotional opportunities to help maximize value.

You may opt out of non-essential emails (e.g. news/ practice communications) at any time using the opt-out link provided or by emailing us. You cannot opt out of essential communications like therapy updates or billing notices while your therapy contract is active.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

 

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

  • Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

 

Our lawful bases for collecting or using anonymised personal information for service evaluation, statistical analysis and publication purposes are:

  • Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All other data protection rights may apply, except the right to erasure, the right to object, and the right to data portability. Our legitimate interests are:

Analysis and improvement of service effectiveness and research. This data is converted into anonymised and non-identifiable numerical data, and aggregated with other data for group-level analysis. You may withdraw your consent up until the data has been incorporated into the compiled dataset by contacting us using the information provided above. After this point, withdrawal of data is not possible as it is de-identified and cannot be linked back to any individual. In case of publication, all data is fully anonymised and non-identifiable and cannot be linked back to any individual.

5. Where we get personal information from

  • Directly from you

  • Family members or carers (for children/young people therapy)

  • Other health and care providers

  • Schools or other education organisations

6. How long we keep information

Personal data is stored as follows and then is permanently deleted or anonymized by the data processor.

7. Who we share information with

Data processor

Our data processor is Zanda Health, which uses Personal Data in line with Zanda’s Privacy Policy.

Zanda Health processes Account Data lawfully, fairly, and transparently. Under the EU GDPR our legal bases for sharing information with Zanda Health include consent, compliance with legal obligations, and/or our legitimate interests, provided these are not overridden by your rights.

Purposes:

Contract Provision (Contract): To deliver our Services (e.g., appointment booking, telehealth, billing), and support your account.

Communications (Consent / Legitimate Interests): To send operational updates, service communications, security notices, invoices, and respond to inquiries.

Customer Support (Legitimate Interests): To assist with technical issues and improve your user experience.

Analysis & Development (Legitimate Interests): To analyze usage data, improve our service’s functionality, and ensure Services reliability and security.

Legal Requirements (Legal Obligation): To comply with applicable laws, court orders, or regulatory requirements and GDPR requirements in relation to processing your data and maintaining your legal rights.

Payment processor

Our payment processor is Stripe, which uses and processes your complete payment information in accordance with its applicable privacy policy.

 If you sign up for any of our paid services with us using a payment card, your sensitive card information is encrypted and stored directly by Stripe using industry-leading security measures. Your card information is never stored on our systems, and we never have access to it. Review Stripe’s Security Protocol HERE.

Purposes:

Contract Provision (Contract / Consent): We process your information as necessary for us to provide you with the Services and/or perform our contract(s) with you. We cannot fulfill any contract to you unless you consent to us using your information for these purposes.

Legal Requirements (Legal Obligation): To comply with applicable laws, court orders, or regulatory requirements and GDPR requirements in relation to processing your data and maintaining your legal rights.

8. How and Why We or Our Processors May Share Your Data

With Your Consent or Instruction:

We will not disclose personal data unless required or permitted by law, or we have your express consent to do so.

Processors:

Our processor works with trusted service providers who follow strict data protection rules. They receive only the minimum personal data required to perform their tasks on our behalf. They do not share any Personal Health Data or Customer Data with processors. Processors List is regularly reviewed and updated as needed.

Third-parties:

Our processor may share your data with trusted third-party vendors to operate our business and deliver our Services. They receive only the minimum personal data required to perform their tasks. These vendors fall into two categories:

Processors – Vendors that support Zanda’s and Stripe’s business operations, such as customer support, billing, and compliance tools. They do not share any Personal Health Data or Customer Data with processors.

Sub-processors – Vendors that enable Zanda’s and Stripe’s software functionalities, such as cloud hosting, data storage, and payment processing.

Legal or Moral Requirements:

We and/or our processors may disclose personal data to law enforcement, regulatory bodies, or healthcare professionals in emergencies where it’s necessary to protect life or prevent serious harm, or to comply with a legal obligation.

International Data Transfers

Zanda and Stripe operate globally. Where they transfer personal data outside our jurisdiction (e.g., EEA), they use appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission, to ensure an equivalent level of data protection.

Others we share personal information with

  • Other health and care providers (e.g. GPs and consultants)

  • Educational or pastoral care providers

  • Organisations we need to share information with for safeguarding reasons

  • Emergency services

Duty of confidentiality

We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

  • you’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);

  • we have a legal requirement (including court orders) to collect, share or use the data;

  • on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).

9. How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Commissioner for personal data protection.

Office address:
Kypranoros 15, Nicosia 1061, Cyprus

Postal address:
P.O. Box 23378, 1682 Nicosia, Cyprus

Tel: +357 22818456
Fax: +357 22304565

Email: commissionerdataprotection.gov.cy